How to Assess Supplier Risk in Your Supply Chain

Written by Sam Jones
Jul 19, 2021 - 7 minute read

Supplier risk management is key to your Supply Chain's security, but how do you know how secure your suppliers really are?


Your Supply Chain is the backbone of your business - without it, you'd struggle to meet the demands of your customers and be able to deliver products and services quickly and efficiently. 

Important as suppliers are, they also have the potential to put your business at risk.

These risks come in all shapes and sizes, but one of the most serious, and particularly relevant in this digital age, is cyber risk.

The truth is if you're juggling tens, hundreds, even thousands of suppliers, the odds are not in your favour - all it takes is one weakness in a supplier's security, and cybercriminals could find a way in, accessing your supplier's systems and data as well as your own. 

The alarm has been raised with recent supply chain attacks in the news, and businesses are starting to look to their supply chains and wondering... 

"How secure am I really?"


But how do you find out how secure your suppliers are? Do you just take their word for it? That doesn't seem like the smartest move when your own business could be at stake. 

Businesses are being encouraged to actually vet their suppliers - whether that's their current ones or ones they're entering into new contracts with - to make sure their cybersecurity is at an adequate level. 

The Government Breaches Survey in 2020 found that many businesses and organisations aren't too sure what they should really be asking their suppliers when it comes to cybersecurity. 

So let's break down the key areas you might want to think about when assessing how secure your suppliers are... 

Data Protection

First on the list is data protection, and it's first for a reason. You need to make sure your suppliers are complying with all the relevant data protection legislation like GDPR.

If they aren't compliant in their processing activities and suffer a breach, you could be held liable and receive fines from the ICO. 

It's also important to make sure third parties have an established framework to prevent data leakage and corruption. Data can be protected through a combination of encryption and data loss prevention techniques. 

As a business that shares data with third parties, it's a good idea to properly classify your data and define where it's coming from and where it's going. Then you can establish a secure channel through which data can be transferred.  


Security Policies 

Do your suppliers have security policies in place at their company?

There are lots of different kinds of policies a business can draw up regarding cybersecurity and having them is very important for protecting an organisation.

Policies are a good way to know that your suppliers are addressing common threats and making sure their employees are well equipped for dealing with them. You may also want to find out how often your supplier is reviewing and updating their policies.

Some common security policies include:

Patching Policy: Establishes which software requires patching and how this will be carried out.

Home Users Policy: How the business will handle security and access for employees that are working at home or on personal devices. This will have been especially important during the pandemic.

Password Policy: Guidance for employees on things like requirements for a secure password and how password changes will work at the company.

Internet and Social Media Policy: Rules on how employees will use the company network and social media to stay secure and avoid putting the company at risk.

Exiting Employee Policy: How a company handles the termination of a leaving employee's access to company data and systems. 

Personnel Security

Insider threat and human error are often the primary, or at least a contributing, cause of supply chain attacks.

People are an organisation's biggest asset, but they are also a risk.

When considering your suppliers' personnel security, you'll want to know whether they perform adequate background checks on new employees and on personnel from any external agency, and check that they do so BEFORE those people are given access to your information and/or systems.

You should also make sure your suppliers are giving their personnel proper cybersecurity awareness training and ensure they review all security policies, confirming they understand fully and will comply. Are personnel required to sign confidentiality agreements?

Finally, on employee termination, check your supplier has a process in place for removing that person's access to data and systems. 


Access Control

Perhaps the most important aspect of supply chain management when it comes to cybersecurity is knowing which of your suppliers has access to what data, as this can help you determine their risk.

If a supplier is regularly accessing highly sensitive data, you'll want to make sure they know how to control access within their company. 

The general guidance relating to access control is that administrative access should be limited and people should only have access to that which they need for performing their job role or task.

Your supplier should be transparent with you about who has access to your data within their company, keeping an up-to-date list of users and what they can access. These should be regularly reviewed and updated if necessary. 

It may also be a good idea to know if your supplier monitors users' systems and their activities. Are failed login attempts recorded? What's the process for dealing with them?

Asset Management

Your supplier should keep an inventory listing all their assets (including physical, software, information, services and people) and locations to ensure assets are properly protected. This should then be reviewed periodically to check its accuracy.

Any unauthorised assets should be removed from the network, and the supplier should ensure that only software applications and operating systems that are currently supported are being used. 

It's important to have good classification methods of assets as well - these will determine things like user access and how information assets are handled and stored. Know what your suppliers' processes are for these things. 

Risk & Incident Management 

Of course, no one wants to deal with a cyber incident. But it's good to be prepared.

Look for a combination of preventative and reactive measures in a supplier's risk and incident management. 

Are your suppliers aware of the cyber risks they could face as a business?

Supply Chain risk management is an essential part of your supply chain security and assessing your suppliers' risks is the first step.

You should expect your supplier to carry out regular risk assessments, providing reports so you can understand the greater risks within your supply chain. Suppliers should then update their policies and processes where appropriate. 

If there are obvious risks that a supplier has detected, they should be clear with you as to what mitigation strategies they have implemented in response.

If, for whatever reason, your supplier has risks that they are unable to remediate and could impact your business or other parts of your supply chain, they should notify you immediately and you can then decide what actions to take.


Now what about preparing for an actual incident...

First, who is in charge of incident response at your supplier's company? Have they received proper training?

Suppliers should have clear response plans in which they have outlined a worst-case scenario and the steps that should be taken in a realistic timeframe in order to resume business as usual.

Depending on the level of service required from a certain supplier, or the sensitivity of the data they can access, you'll want to know they have proportional incident response procedures in place.

Make sure you are clear with your supplier about what you expect from them in the case of an incident. There should be a clear point of contact who will notify your business if the supplier's company experiences a data breach, and they should do so without unreasonable delay.

Finally, find out if your supplier has cyber insurance and what kind of cover it involves. You may wish to make this a requirement for working with you if they work with you at a particularly high level.

Malware Protection

Has your supplier implemented suitable software for detecting, preventing and/or removing malware such as viruses, trojans and worms? 

It should be a standard requirement that your supplier has installed anti-malware on all key system components including, but not limited to, entry points and server systems. 


Earlier I mentioned the importance of making sure your supplier is compliant with things like GDPR but there may be other areas of compliance to consider. For example, your supplier can demonstrate a good level of cybersecurity by having achieved a cyber certification like Cyber Essentials.

If they are complying with standards like these, you can be quickly reassured by seeing that your supplier is aligned with a standard of cybersecurity deemed good enough by government organisations like the National Cyber Security Centre. 



So what now?

We've covered a lot of different areas, and only really touched the surface!

The truth is, how secure you need your suppliers to be will depend largely on the kind of business you operate and the level of risk to your supply chain.

It is a good idea to reflect on what kind of security expectations you have of your own business and consider how many of these you think your suppliers are actually meeting. 

Until you start having conversations with your suppliers and understand their security frameworks better, you won't have a good idea of how secure your supply chain is.

If you don't have one already, spend some time creating a detailed supply chain cyber security policy outlining all your expectations and requirements for their cyber and information security.

Transparency is the key to a trusted supplier relationship, so be clear about what you need from your suppliers and don't forget to demonstrate your own security levels - they'll want to know you're secure too!

Topics: Business Security, Cyber Security, Supply Chain

